[bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].

[bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].

[Ian Eure]

Updates the package and changes how the .desktop file is generated.  The
.desktop file the package had been using was removed upstream.

Fixes:

CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
               for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
               responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
               type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
               objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
               service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
               Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
               Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline

* gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.

Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
---
 gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
 1 file changed, 13 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 31de7a7171..4b91132d9b 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241005085731")
+(define %librewolf-build-id "20241010143544")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "130.0.1-1")
+    (version "131.0.2-1")
     (source
      (origin
       (inherit (make-librewolf-source
                 #:version version
-                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
-                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
+                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
+                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -619,33 +619,24 @@ (define (runpaths-of-input label)
                    (add-after 'wrap-program 'install-desktop-entry
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let* ((desktop-file
-                               "taskcluster/docker/firefox-snap/firefox.desktop")
+                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
                               (applications (string-append #$output
                                              "/share/applications")))
                          (substitute* desktop-file
-                           (("^Exec=firefox")
+                           (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
                                            #$output "/bin/librewolf"))
-                           ;; "Firefox" -> "LibreWolf" everywhere
-                           (("Firefox")
+                           (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
-                           ;; Remove non-Latin translations.
-                           (("^Name\\[(ar|bn)\\].*$")
-                            "")
-                           (("^Icon=.*")
+                           (("@MOZ_APP_REMOTINGNAME@")
+                            "LibreWolf")
+                           (("^Icon=@MOZ_APP_NAME@")
                             (string-append "Icon="
                              #$output
-                             "/share/icons/hicolor/128x128/apps/librewolf.png
-"))
-                           ;; These commands were changed.
-                           (("-NewWindow")
-                            "-new-window")
-                           (("-NewPrivateWindow")
-                            "-new-private-window")
-                           (("StartupNotify=true")
-                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
+                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
+
                          (copy-file desktop-file "librewolf.desktop")
-                         (install-file "librewolf.desktop" applications))))
+                         (install-file "librewolf.desktop" (string-append applications)))))
                    (add-after 'install-desktop-entry 'install-icons
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((icon-source-dir (string-append #$output
-- 
2.46.0

[bug#73742] QA review for 73742

[Rutherther via Guix-patches via]

user guix
usertag 73742 + reviewed-looks-good
thanks

Applies and builds fine, works fine. This is probably quite critical
as there is a vulnerability that is reported to be exploited
in the wild by Mozilla regarding animations.
See https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Apart from the security fixes this seems to also fix sound
problems for me that I had with previous version. Or maybe
some dependency update caused this, not sure.

Regards,
Rutherther

[bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].

[Hilton Chain via Guix-patches via]

Hi Ian,

Thanks for the patch, I'll make two minor changes (see details below) when
pushing it.

On Fri, 11 Oct 2024 12:42:18 +0800,
Ian Eure wrote:
>
> Updates the package and changes how the .desktop file is generated.  The
> .desktop file the package had been using was removed upstream.
>
> Fixes:
>
> CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
>                for Android
> CVE-2024-9392: Compromised content process can bypass site isolation
> CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
> CVE-2024-9394: Cross-origin access to JSON contents through multipart
>                responses
> CVE-2024-9395: Specially crafted filename could be used to obscure download
>                type
> CVE-2024-9396: Potential memory corruption may occur when cloning certain
>                objects
> CVE-2024-9397: Potential directory upload bypass via clickjacking
> CVE-2024-9398: External protocol handlers could be enumerated via popups
> CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
>                service
> CVE-2024-9400: Potential memory corruption during JIT compilation
> CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
>                Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
>                Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
> CVE-2024-9680: Use-after-free in Animation timeline
>
> * gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.
>
> Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
> ---
>  gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
>  1 file changed, 13 insertions(+), 22 deletions(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 31de7a7171..4b91132d9b 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
>  ;; Update this id with every update to its release date.
>  ;; It's used for cache validation and therefore can lead to strange bugs.
>  ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20241005085731")
> +(define %librewolf-build-id "20241010143544")
>
>  (define-public librewolf
>    (package
>      (name "librewolf")
> -    (version "130.0.1-1")
> +    (version "131.0.2-1")
>      (source
>       (origin
>        (inherit (make-librewolf-source
>                  #:version version
> -                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
> -                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
> +                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
> +                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list
> @@ -619,33 +619,24 @@ (define (runpaths-of-input label)
>                     (add-after 'wrap-program 'install-desktop-entry
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let* ((desktop-file
> -                               "taskcluster/docker/firefox-snap/firefox.desktop")
> +                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
>                                (applications (string-append #$output
>                                               "/share/applications")))
>                           (substitute* desktop-file
> -                           (("^Exec=firefox")
> +                           (("^Exec=@MOZ_APP_NAME@")
>                              (string-append "Exec="
>                                             #$output "/bin/librewolf"))

1. Add a %u[1] after "/bin/librewolf".

[1]: https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html

> -                           ;; "Firefox" -> "LibreWolf" everywhere
> -                           (("Firefox")
> +                           (("@MOZ_APP_DISPLAYNAME@")
>                              "LibreWolf")
> -                           ;; Remove non-Latin translations.
> -                           (("^Name\\[(ar|bn)\\].*$")
> -                            "")
> -                           (("^Icon=.*")
> +                           (("@MOZ_APP_REMOTINGNAME@")
> +                            "LibreWolf")
> +                           (("^Icon=@MOZ_APP_NAME@")
>                              (string-append "Icon="
>                               #$output
> -                             "/share/icons/hicolor/128x128/apps/librewolf.png
> -"))
> -                           ;; These commands were changed.
> -                           (("-NewWindow")
> -                            "-new-window")
> -                           (("-NewPrivateWindow")
> -                            "-new-private-window")
> -                           (("StartupNotify=true")
> -                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
> +                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
> +
>                           (copy-file desktop-file "librewolf.desktop")
> -                         (install-file "librewolf.desktop" applications))))
> +                         (install-file "librewolf.desktop" (string-append applications)))))

2. Remove this string-append.

>                     (add-after 'install-desktop-entry 'install-icons
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let ((icon-source-dir (string-append #$output
> --
> 2.46.0
>
>
>
>

bug#73742: [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].

[Hilton Chain via Guix-patches via]

Hi Ian, and Rutherther, thank you for the review.

Applied as cdb262e993a2ffdf49f7995cc12fa523d4578c05 with changes mentioned in my
previous mail.

Thanks